CA-2003-26 Multiple Vulnerabilities in SSL/TLS
Issue date: October 1, 2003
Last revised: --
A revision history is at the end of this file.
* OpenSSL versions prior to 0.9.7c and 0.9.6k
* Multiple SSL/TLS implementations
* SSLeay library
There are multiple vulnerabilities in different implementations of the
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
protocols. These vulnerabilities occur primarily in Abstract Syntax
Notation One (ASN.1) parsing code. The most serious vulnerabilities
may allow a remote attacker to execute arbitrary code. The common
impact is denial of service.
SSL and TLS are used to provide authentication, encryption, and
integrity services to higher-level network applications such as HTTP.
Cryptographic elements used by the protocols, such as X.509
certificates, are represented as ASN.1 objects. In order to encode and
decode these objects, many SSL and TLS implementations (and
cryptographic libraries) include ASN.1 parsers.
OpenSSL is a widely-deployed open source implementation of the SSL and
TLS protocols. OpenSSL also provides a general-purpose cryptographic
library that includes an ASN.1 parser.
The National Infrastructure Security Co-ordination Centre (NISCC)
has developed a test suite to analyze the way SSL and TLS
implementations handle exceptional ASN.1 objects contained in client
and server certificate messages. Although the test suite focuses on
certificate messages, any untrusted ASN.1 element may be used as an
attack vector. An advisory from OpenSSL describes as vulnerable "Any
application that makes use of OpenSSL's ASN1 library to parse
untrusted data. This includes all SSL or TLS applications, those using
S/MIME (PKCS#7) or certificate generation routines."
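The kind of checking an ASN.1 parser needs before it trusts a tag or length field, as an added example (not code from this advisory, OpenSSL, or the NISCC test suite). The names der_hdr and der_read_header are illustrative; the function reads one DER identifier/length header from an untrusted buffer and rejects tag numbers that would overflow, indefinite or non-minimal lengths, and lengths that run past the data actually received.

```c
#include <stddef.h>
#include <stdint.h>

/* Identifier and length octets of one DER element (names are illustrative). */
struct der_hdr {
    unsigned cls;      /* class bits, 0..3 */
    int constructed;   /* 1 if constructed encoding */
    uint32_t tag;      /* tag number */
    size_t hdr_len;    /* bytes consumed by identifier + length octets */
    size_t len;        /* content length in bytes */
};

/* Parse one header from untrusted input; 0 on success, -1 on rejection. */
int der_read_header(const unsigned char *p, size_t avail, struct der_hdr *h)
{
    size_t i = 0, n, v = 0;
    unsigned char b;

    if (p == NULL || h == NULL || avail < 2) return -1;
    h->cls = p[0] >> 6;
    h->constructed = (p[0] >> 5) & 1;
    h->tag = p[0] & 0x1f;
    i = 1;
    if (h->tag == 0x1f) {                      /* high-tag-number form */
        uint32_t t = 0;
        if (p[i] == 0x80) return -1;           /* leading zero group: not minimal */
        do {
            if (i >= avail) return -1;         /* ran off the buffer */
            if (t > (UINT32_MAX >> 7)) return -1;  /* next shift would overflow */
            b = p[i++];
            t = (t << 7) | (b & 0x7f);
        } while (b & 0x80);
        if (t < 0x1f) return -1;               /* should have used the short form */
        h->tag = t;
    }
    if (i >= avail) return -1;
    b = p[i++];
    if (b < 0x80) {
        v = b;                                 /* short-form length */
    } else {
        n = b & 0x7f;                          /* number of length octets */
        if (n == 0 || n > sizeof(size_t) || n > avail - i) return -1;
        if (p[i] == 0) return -1;              /* leading zero: not minimal */
        while (n--) v = (v << 8) | p[i++];
        if (v < 0x80) return -1;               /* should have used the short form */
    }
    if (v > avail - i) return -1;              /* content must fit in the buffer */
    h->hdr_len = i;
    h->len = v;
    return 0;
}
```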
There are two certificate message attack vectors. An attacker can send
crafted client certificate messages to a server, or attempt to cause
a client to connect to a server under the attacker's control. When the
client connects, the attacker can deliver a crafted server certificate
message. Note that the standards for TLS (RFC 2246) and SSL 3.0 state
that a client certificate message "...is only sent if the server
requests a certificate." To reduce exposure to these types of attacks,
an SSL/TLS server should ignore unsolicited client certificate
NISCC has published two advisories describing vulnerabilities in
OpenSSL (006489/OpenSSL) and other SSL/TLS implementations
(006489/TLS). The second advisory covers multiple vulnerabilities in
many vendors' products. Further details, including vendor status
information, are available in the following vulnerability notes.
- OpenSSL ASN.1 parser insecure memory deallocation
A vulnerability in the way OpenSSL deallocates memory used to store
ASN.1 structures could allow a remote attacker to execute arbitrary
code with the privileges of the process using the OpenSSL library.
(Other resources: NISCC/006490/OpenSSL/3, OpenSSL #1, CAN-2003-0545)
- OpenSSL contains integer overflow handling ASN.1 tags (1)
An integer overflow vulnerability in the way OpenSSL handles ASN.1
tags could allow a remote attacker to cause a denial of service.
(Other resources: NISCC/006490/OpenSSL/1, OpenSSL #2, CAN-2003-0543)
- OpenSSL contains integer overflow handling ASN.1 tags (2)
A second integer overflow vulnerability in the way OpenSSL handles
ASN.1 tags could allow a remote attacker to cause a denial of service.
(Other resources: NISCC/006490/OpenSSL/1, OpenSSL #2, CAN-2003-0544)
- OpenSSL does not securely handle invalid public key when
configured to ignore errors
A vulnerability in the way OpenSSL handles invalid public keys in
client certificate messages could allow a remote attacker to cause a
denial of service. This vulnerability requires as a precondition that
an application is configured to ignore public key decoding errors,
which is not typically the case on production systems.
(Other resources: NISCC/006490/OpenSSL/2, OpenSSL #3)
- OpenSSL accepts unsolicited client certificate messages
OpenSSL accepts unsolicited client certificate messages. This could
allow an attacker to exploit underlying flaws in client certificate
handling, such as the vulnerabilities listed above.
(Other resources: OpenSSL #4)
- Multiple vulnerabilities in SSL/TLS implementations
Multiple vulnerabilities exist in different vendors' SSL/TLS
implementations. The impacts of these vulnerabilities include remote
execution of arbitrary code, denial of service, and disclosure of
sensitive information. VU#104280 covers an undefined set of
vulnerabilities that affect SSL/TLS implementations from many
(Other resources: NISCC/006490/TLS)
The impacts of these vulnerabilities vary. In almost all, a remote
attacker could cause a denial of service. For at least one
vulnerability in OpenSSL (VU#935264), a remote attacker may be able
to execute arbitrary code. Please see Appendix A, the Systems Affected
section of VU#104280, and the OpenSSL vulnerability notes for details.
Upgrade or apply a patch
To resolve the OpenSSL vulnerabilities, upgrade to OpenSSL 0.9.7c or
OpenSSL 0.9.6k. Alternatively, upgrade or apply a patch as directed by
your vendor. Recompile any applications that are statically linked to
for the other SSL/TLS vulnerabilities covered by
VU#104280, please see Appendix A and the Systems Affected section of
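A check of a version string against the two fixed releases named in this section (0.9.6k for the 0.9.6 branch, 0.9.7c for the 0.9.7 branch), as an added example that is not part of the original advisory. The function name openssl_needs_upgrade and the sample banners are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* 1 = older than the fixed release for its branch, 0 = at or past it,
 * -1 = version not recognised. Accepts "0.9.6g" or a full
 * "OpenSSL 0.9.6g 9 Aug 2002" banner. */
int openssl_needs_upgrade(const char *s)
{
    int maj, min, fix, n = 0;
    char letter = 0;              /* 0 means no patch letter, e.g. "0.9.7" */
    const char *p;

    if (s == NULL) return -1;
    p = strstr(s, "OpenSSL ");
    if (p != NULL) s = p + strlen("OpenSSL ");
    if (sscanf(s, "%d.%d.%d%n", &maj, &min, &fix, &n) != 3) return -1;
    if (maj < 0 || min < 0 || fix < 0) return -1;
    if (s[n] >= 'a' && s[n] <= 'z') letter = s[n];

    /* Anything newer than the 0.9.7 branch is past both thresholds. */
    if (maj > 0 || min > 9 || (min == 9 && fix > 7)) return 0;
    if (min == 9 && fix == 7) return letter < 'c';   /* 0.9.7, 0.9.7a, 0.9.7b */
    if (min == 9 && fix == 6) return letter < 'k';   /* 0.9.6 .. 0.9.6j */
    return 1;                                        /* older than 0.9.6 */
}

int main(void)
{
    /* Constructed sample banners in the format `openssl version` prints. */
    const char *samples[] = { "OpenSSL 0.9.6g 9 Aug 2002",
                              "OpenSSL 0.9.7c 30 Sep 2003" };
    for (size_t i = 0; i < 2; i++)
        printf("%-28s %s\n", samples[i],
               openssl_needs_upgrade(samples[i]) == 1 ? "upgrade" : "ok");
    return 0;
}
```

A result of 1 is a prompt to check the vendor's advisory, not proof of exposure: vendors that backport patches, as the Red Hat statement in Appendix A describes, ship fixed packages under an older version string.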
Appendix A. Vendor Information
This appendix contains information provided by vendors. When vendors
report new information, this section is updated, and the changes are
noted in the revision history. If a vendor is not listed below, we
have not received their authenticated, direct statement. Further
vendor information is available in the Systems Affected sections of
the vulnerability notes listed above.
Network Security AB
configuration of AppGate is not vulnerable. However
some extra functionality which administrators can enable manually
may cause the system to become vulnerable. For more details check
the AppGate support pages at http://www.appgate.com/support.
Vulnerable. This is fixed in Mac OS X 10.2.8 which is
available from http://www.apple.com/support/
Firewall: Not vulnerable
As of version 8.3, Clavister Firewall implements an optional HTTP/S
server for purposes of user authentication. However, since this
implementation does not support client certificates and has no
ASN.1 parser code, there can be no ASN.1-related vulnerabilities as
far as SSL is concerned.
versions of Clavister Firewall do not implement any SSL
supports OpenSSL through its Cray Open Software (COS)
package. The OpenSSL version in COS 3.4 and earlier is vulnerable.
Spr 726919 has been opened to address this.
BIG-IP, 3-DNS, ISMan and Firepass are vulnerable. F5
will have ready security patches for each of these products. Go to
ask.f5.com for the appropriate security response instructions for
Web Server is NOT Vulnerable to this issue.
The AIX Security Team is aware of the issues discussed in CERT
Vulnerability Notes VU#255484, VU#380864, VU#686224, VU#935264 and
is available for AIX via the AIX Toolbox for Linux. Please
note that the Toolbox is made available "as-is" and is unwarranted.
The Toolbox ships with OpenSSL 0.9.6g which is vulnerable to the
issues referenced above. A patched version of OpenSSL will be
provided shortly and this vendor statement will be updated at that
note that OpenSSH, which is made available through the
Expansion Pack is not vulnerable to these issues.
IBM eServer Platform Response
For information related to this and other published CERT Advisories
that may relate to the IBM eServer Platforms (xSeries, iSeries,
pSeries, and zSeries) please go to
to access this information you will require a Resource
Link ID. To subscribe to Resource Link go to
http://app-06.www.ibm.com/servers/resourcelink and follow the steps
should be referred to firstname.lastname@example.org.
Networks is aware of this vulnerability and will issue a
security advisory when our investigation is complete.
code included in domestic versions of JUNOS Internet
Software that runs on all M-series and T-series routers is
susceptible to these vulnerabilities. The SSL library included in
Releases 2.x and 3.x of SDX provisioning software for E-series
routers is susceptible to these vulnerabilities.
Corrections for all the above vulnerabilities are included in all
versions of JUNOS built on or after October 2, 2003. Customers
should contact Juniper Networks Technical Assistance Center (JTAC)
for instructions on obtaining and installing the corrected code.
SDX software built on or after October 2, 2003, contain SSL
libraries with corrected code. Contact JTAC for instructions on
obtaining and installing the corrected code.
referenced by VU#255484, VU#380864, and
VU#935264 have been corrected by packages released in our
sent on October 1, 2003
* EWS/UP 48 Series operating system
- is NOT vulnerable.
It doesn't include SSL/TLS implementation.
is reviewing our application portfolio to identify products
affected by the vulnerabilities reported by the NISCC. We have the
patched OpenSSL code and are reviewing and testing it internally,
and preparing patches for our products that are affected. We expect
the first patches to become available via our Security Alerts web
site (http://support.novell.com/security-alerts) during the week of
6 Oct 2003. Customers are urged to monitor our web site for patches
to versions of our products that they use and apply them
see OpenSSL Security Advisory [30 September 2003].
GNU/*/Linux currently uses OpenSSL 0.9.6 branch and thus
was affected by the ASN.1 parsing and client certificate handling
vulnerabilities pertaining to those versions of OpenSSL. It was not
affected by the potentially more serious incorrect memory
deallocation vulnerability (VU#935264, CVE CAN-2003-0545) that is
specific to OpenSSL 0.9.7.
as of 2003/10/01 has been updated to OpenSSL 0.9.6k,
thus correcting the vulnerabilities.
distributes OpenSSL 0.9.6 in various Red Hat Linux
distributions and with the Stronghold secure web server. Updated
packages which contain backported patches for these issues are
available along with our advisories at the URL below. Users of the
Red Hat Network can update their systems using the 'up2date' tool.
Linux 7.1, 7.2, 7.3, 8.0:
distributes OpenSSL 0.9.7 in Red Hat Linux 9. Updated
packages which contain backported patches for these issues are
available along with our advisory at the URL below. Users of the
Red Hat Network can update their systems using the 'up2date' tool.
Networks routers are not vulnerable.
aware of the issue and are diligently working on a fix.
receiving the vulnerabilities reported by CERT and
NISCC. CAN-2003-0543 [VU#255484], CAN-2003-0544 [VU#380864] and
CAN-2003-0545 [VU#935264] have been addressed by SGI Security
information is available at this time.
protection of all our customers, SGI does not disclose,
discuss or confirm vulnerabilities until a full investigation has
occurred and any necessary patch(es) or release streams are
available for all vulnerable and supported SGI operating systems.
Until SGI has more definitive information to provide, customers are
encouraged to assume all security vulnerabilities as exploitable
and take appropriate steps according to local site security
policies and requirements. As further information becomes
available, additional advisories will be issued via the normal SGI
security information distribution methods including the wiretap
mailing list on http://www.sgi.com/support/security/
has published a security advisory that addresses the
issues in vulnerability notes VU#255484 and VU#104280. The advisory
is at http://www.stonesoft.com/document/art/3040.html
requires the OpenSSL libraries for compilation (POSIX) or
OpenSSL DLLs for runtime operation (Windows). While Stunnel itself
is not vulnerable, its dependence on OpenSSL means that your
installation likely is vulnerable.
compile from source, you need to install a non-vulnerable
version of OpenSSL and recompile Stunnel.
use the compiled Windows DLLs from stunnel.org, you should
download new versions which are not vulnerable. OpenSSL 0.9.7c DLLs
are available at
version of Stunnel source or executable will be made
available, because the problems are inside OpenSSL -- Stunnel
itself does not have the vulnerability.
products are affected. Update packages are being tested
and will be published on Wednesday, October 1st.
VanDyke Software products are subject to these
vulnerabilities due to the fact that OpenSSL is not used in any
Appendix B. References
* CERT/CC Vulnerability Note VU#935264 -
* CERT/CC Vulnerability Note VU#255484 -
* CERT/CC Vulnerability Note VU#380864 -
* CERT/CC Vulnerability Note VU#686224 -
* CERT/CC Vulnerability Note VU#732952 -
* CERT/CC Vulnerability Note VU#104280 -
* OpenSSL Security Advisory [30 September 2003] -
* NISCC Vulnerability Advisory 006489/OpenSSL -
* NISCC Vulnerability Advisory 006489/TLS -
* ITU ASN.1 documentation -
discovered and researched these vulnerabilities; this document
is based on their work. We would like to thank Stephen Henson of the
OpenSSL project and the Oulu University Secure Programming Group
(OUSPG) for their previous work in this area.
can be directed to the author, Art Manion.
is available from:
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
prefer to use DES, please call the CERT hotline for more
and other security information are available from
our web site
to the CERT mailing list for advisories and bulletins,
send email to email@example.com. Please include in the body of your
and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed
or implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
for use, disclaimers, and sponsorship information
2003 Carnegie Mellon University.
October 1, 2003: Initial release